Controls / MCSB / NS-1

MCSB NS-1: Network Security

25 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control NS-1 (Network Security). Each is checked against your tenant, ranked by Severity, with validated remediation.

25 checksNetwork SecurityTop Severity: High

What MCSB NS-1 covers

The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. NS-1 sits in the Network Security domain. Senserva evidences it with the 25 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.

Ask your own AI about this control

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

The 25 checks that evidence MCSB NS-1

Click any row for why it matters and how to fix it, with a link to the full check page.

Senserva checkSeverityWhat it verifies
Internet Facing VM Protected By NsgHighInternet-facing VM is protected by a Network Security Group (NSG)
Intune Policy Firewall Domain Network Default Inbound ActionHighWindows Firewall default inbound action for Domain network is not set to Block
Intune Policy Firewall Domain Network EnablementHighWindows Firewall is not enabled for Domain network profile
Intune Policy Firewall Private Network Default Inbound ActionHighWindows Firewall default inbound action for Private network is not set to Block
Intune Policy Firewall Private Network EnablementHighWindows Firewall is not enabled for Private network profile
Intune Policy Firewall Public Network Default Inbound ActionHighWindows Firewall default inbound action for Public network is not set to Block
Intune Policy Firewall Public Network Disabled Inbound Action NotificationsHighWindows Firewall inbound action notifications not disabled for Public network
Intune Policy Firewall Public Network EnablementHighWindows Firewall is not enabled for Public network profile
Intune Policy Firewall Public Network IP Sec MergeHighIPsec exemptions are allowed on Public network profile
Intune Policy Firewall Public Network Local Policy MergeHighLocal firewall policy merge is enabled on Public network profile
Intune Policy Firewall Public Network Log Dropped PacketsHighWindows Firewall is not configured to log dropped packets on Public network
Intune Policy Firewall Domain Network Disabled Inbound Action NotificationsMediumWindows Firewall inbound action notifications are not disabled for Domain network
Intune Policy Firewall Domain Network Log Dropped PacketsMediumWindows Firewall is not configured to log dropped packets on Domain network
Intune Policy Firewall Private Network Log Dropped PacketsMediumWindows Firewall is not configured to log dropped packets on Private network
Intune Policy Firewall Property Not FoundMediumExpected firewall property was not found in the Intune policy configuration
Network Flow Logs ConfiguredMediumTODO: Network flow logs configuration check. Not yet implemented
Non Internet Facing VM Protected By NsgMediumNon-internet-facing VM is protected by a Network Security Group (NSG)
Nsg Flow Logs EnabledMediumNSG flow logs are enabled for network traffic monitoring and forensics
Intune Policy Firewall Private Network Disabled Inbound Action NotificationsLowWindows Firewall inbound action notifications are not disabled for Private network
Intune Policy Firewall Domain Network Log Max File SizeInfoWindows Firewall log file size for Domain network is below recommended threshold
Intune Policy Firewall Domain Network Log Successful ConnectionsInfoWindows Firewall is not configured to log successful connections on Domain network
Intune Policy Firewall Private Network Log Max File SizeInfoWindows Firewall log file size for Private network is below recommended threshold
Intune Policy Firewall Private Network Log Successful ConnectionsInfoWindows Firewall is not configured to log successful connections on Private network
Intune Policy Firewall Public Network Log Max File SizeInfoWindows Firewall log file size for Public network is below recommended threshold
Intune Policy Firewall Public Network Log Successful ConnectionsInfoWindows Firewall is not configured to log successful connections on Public network

Also evidences

The same checks provide evidence for these frameworks, so one fix counts across your obligations:

Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.

Sponsored by Senserva

Siemserva by Senserva runs the checks that evidence MCSB NS-1 (Network Security) across your own tenant: which tenants pass, which fail, ranked by Severity with the evidence attached.

  • 650+ Microsoft 365, Intune, Defender, and Entra ID checks in one scan
  • Findings mapped to SCuBA, CIS, NIST, HIPAA, SOC 2, and MCSB for audit-ready evidence
  • Senserva Trustworthy AI driven configuration remediation: validated, approve-before-apply fixes
  • Multi-tenant and MSP practices, with bulk tenant audits and client-ready reporting
Siemserva by Senserva
Compliance Status Report
MCSB NS-1 (Network Security) across 2 tenants, ranked by Severity
23
FAILING
87
PASSING
41
OTHER FINDINGS
Estimated report, sample data for illustration
Get Going with Senserva Senserva compliance Built for IT admins, security teams, and auditors, with audit-ready evidence. Senserva is a Microsoft Intelligent Security Association member.
Microsoft 365 compliance and audit evidence
How a control becomes audit evidence, click to play

From finding to audit evidence, in two minutes. Watch page · All videos.

Reference: the compliance frameworks crosswalk, the check reference, and the audit guide.
Data notice: control mappings describe which Siemserva checks provide evidence for a control and are informational only, without warranty. They do not constitute compliance advice or certification; confirm requirements with your assessor. All use is subject to the Senserva EULA.